On 5/17/12 4:57 PM, security curmudgeon wrote:
> On Thu, 17 May 2012, Booth, Harold wrote:
>
> : > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
> : > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
> : > in ProductX, has that met your need?
> :
> : No, it has not. But then CVE and everyone else will know that, since the
> : goal has been defined in terms of "monitor ProductX". Changes to process
> : and tools will be made to get the number closer to 100%. If the goal is
> : defined as "monitor sources X, Y and Z" which result in an ID for 70% of
> : the vulnerabilities disclosed for ProductX there is likely no explicit
> : step in the process to improve coverage of ProductX. "What gets
> : measured, gets done," and I believe measuring in terms of products
> : instead of sources will lead to more desirable results.
>
> That is a good point, but not sure if either of us can justify our
> positions short of "CVE would have to try it" =)
>
> In my mind, if you monitor the right sources, you approach 100% for more
> products in a repeatable fashion than if you try to go off a list of
> products first.

I'm being a bit of a jerk on purpose, but I have a Gmail account that is
subscribed to a bunch of vul mailing lists and feeds. CVE should
monitor that list, and only that list.
The owner or users of a source (whoever can post content) decide what
products are covered.
Talking about sources is a reasonable (and practical) proxy for talking
about products. But in strict requirements terms, coverage should be
about products, or types of vulnerabilities, or languages.
- Art